I'm testing out IPS 7.0.1 and Global Correlation on one of my smaller remote offices, but want to confirm that it would actually drop malicious traffic before rolling it out to 15+ other sensors.
I've configured the sensor, and have used the "show stat global" and "show stat analysis-engine" to ensure that I'm getting the latest databases.
However, like I said, this is a small office, and (thankfully) there's no malicious traffic for the IPS sensor to drop. I'm sort of in a catch-22 here.
I was going to configure a test PC to use the remote office's proxy server (thus flowing its traffic through the IPS sensor) and then try hitting some known malicious domains. That, of course, runs the risk of infection and is hit-or-miss anyways.
Are there any test sites or IP addresses in the Ironport database that I can use to prove that it's working (sort of like the EICAR virus test file)?
Something like testGC.ironport.com that goes to a single unused IP address somewhere.
If not, can you guys add one? It would certainly speed our deployment process, and would probably be helpful for TAC, too. This could also be used by the ASA botnet filter.
Now I understand more of what you are needing.
This is good customer feedback for us.
I entered an enhancement request to add a command for testing sensor connectivity to the servers for Global Correlation, so it can be considered for a future IPS version.